b"                                   SOCIAL SECURITY\nMEMORANDUM\n\nDate:   September 24, 2009                                           Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Follow-up: The Social Security Administration\xe2\x80\x99s Computer Security Program\n        Compliance (A-14-09-19048)\n\n\n        The attached final report presents the results of our audit. Our objective was to\n        determine whether the Social Security Administration had implemented the\n        recommendations in our June 2001 report, Compliance of the Social Security\n        Administration\xe2\x80\x99s Computer Security Program with Applicable Laws and Regulations\n        (A-13-98-12044).\n\n        Please provide within 60 days a corrective action plan that addresses each\n        recommendation. If you wish to discuss the final report, please call me or have your\n        staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at\n        (410) 965-9700.\n\n\n\n                                                       S\n                                                          Patrick P. O\xe2\x80\x99Carroll, Jr.\n\n        Attachment\n\x0c            OFFICE OF\n     THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n              FOLLOW-UP:\n THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nCOMPUTER SECURITY PROGRAM COMPLIANCE\n\n     September 2009   A-14-09-19048\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. 
We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. 
We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                             Executive Summary\nOBJECTIVE\nOur objective was to determine whether the Social Security Administration (SSA) had\nimplemented the recommendations in our June 2001 report, Compliance of the Social\nSecurity Administration\xe2\x80\x99s Computer Security Program with Applicable Laws and\nRegulations (A-13-98-12044).\n\nBACKGROUND\nOur 2001 audit examined whether SSA\xe2\x80\x99s computer security program complied with the\nComputer Security Act of 1987, the Government Information Security Reform Act of\n2000 (GISRA), and other applicable laws, regulations, and Federal guidance. Our\nJune 2001 report stated that SSA lacked a strong framework for overall security\nadministration, policy development, and policy implementation. We recommended that\nSSA:\n\n1. Centralize its systems security management structure to comply with GISRA and\n   other applicable laws.\n\n2. Develop a more inclusive system security plan for the mainframe and distributed\n   computing environments.\n\n3. Implement a global e-mail and other appropriate methods for broadcasting computer\n   incidents.\n\n4. Develop sanctions for users who cause system disruptions or share passwords.\n\n5. Develop a computer system security manual consistent with guidance provided by\n   the National Institute of Standards and Technology, and incorporate in it all existing\n   computer security policies.\n\nRESULTS OF REVIEW\nSSA considered each of the five prior recommendations to be implemented and closed.\nOur follow-up review determined that SSA had implemented Recommendations 2 and\n4. However, SSA had not fully addressed Recommendations 1, 3 and 5. 
Despite\nSSA\xe2\x80\x99s efforts to address these recommendations, our current review found that:\n\n\xef\x82\xb7 SSA continued to have a decentralized/fragmented information security management\n  structure;\n\xef\x82\xb7 the Office of the Chief Information Officer did not have sufficient delegated authority\n  and resources to carry out its responsibilities for SSA\xe2\x80\x99s information security program;\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                  i\n\x0c\xef\x82\xb7 SSA had not sufficiently documented its policy and procedures to ensure all systems\n  users receive timely notification of imminent security incidents; and\n\xef\x82\xb7 SSA\xe2\x80\x99s Information Systems Security Handbook (ISSH) did not cover all security\n  areas and contained outdated and inaccurate information.\n\nAlthough SSA had complied with certain security-related requirements, there are\nopportunities to improve the efficiency and effectiveness of the overall program. We\nbelieve a centralized approach to security management would be in line with the current\nAgency initiative of adopting a more integrated and seamless approach to systems\ndevelopment to address the Agency\xe2\x80\x99s growing needs effectively and efficiently.\n\nCONCLUSION AND RECOMMENDATIONS\nSSA has taken some actions to address the five recommendations from our prior report.\nTwo recommendations were fully implemented, and partial corrective action has been\ntaken on the remaining three. Based on our review and the current guidance on\ninformation security, we believe a centralized information security management\nstructure will better position the Agency to effectively manage and monitor its agency-\nwide information security program. As such, we reaffirm the merits of our original\nRecommendation 1 and recommend that SSA:\n\n1. 
Centralize its security management structure to ensure a coordinated approach to its\n   agency-wide information security program.\n\n2. Clearly delineate roles, responsibilities, and lines of communication that report to a\n   single management focal point.\n\nWe have also revised previous, or included new recommendations to ensure full\ncompliance with our prior recommendations and/or to address new issues we identified\nduring the course of this audit. We recommend SSA:\n\n3. Ensure the Chief Information Officer (CIO) has sufficient delegated authority and\n   resources to fulfill his security responsibilities according to applicable laws,\n   regulations, and guidance.\n\n4. Update its agency-wide Information Security Program Plan.\n\n5. As appropriate, ensure written polices and procedures require notification of all\n   Agency systems users for certain computer incidents.\n\n6. Update the ISSH with the most current and accurate information and consider\n   further delineating security roles and responsibilities of Agency components and\n   security officers related to the subject matter in each chapter. SSA should include\n   all security policies or references in the ISSH.\n\n\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                  ii\n\x0cAGENCY COMMENTS\nSSA agreed with Recommendations 4, 5, and 6, but deferred responding to\nRecommendations 1, 2, and 3 until the CIO has the opportunity to review the issues\ndiscussed in the report. See Appendix E for the full text of SSA\xe2\x80\x99s comments.\n\nOIG RESPONSE\n\nWe encourage the Agency to move quickly to implement Recommendations 1, 2, and 3\nonce the CIO has the opportunity to evaluate the issues addressed in the report. 
The\nimplementation of these recommendations will help ensure a more efficient and\neffective management of the Agency\xe2\x80\x99s information security program.\n\n\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                iii\n\x0c                                                                    Table of Contents\n                                                                                                             Page\n\nINTRODUCTION.....................................................................................................1\n\nRESULTS OF REVIEW ..........................................................................................3\n\nFully Implemented Recommendations ....................................................................4\n\n    \xef\x82\xb7    Prior Recommendation 2..............................................................................4\n    \xef\x82\xb7    Prior Recommendation 4..............................................................................4\n\nPartially Implemented Recommendations ...............................................................5\n\n    \xef\x82\xb7    Prior Recommendation 1..............................................................................5\n    \xef\x82\xb7    Prior Recommendation 3............................................................................13\n    \xef\x82\xb7    Prior Recommendation 5............................................................................13\n\nCONCLUSION AND RECOMMENDATIONS .......................................................16\n\nAPPENDICES\n\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Federal Information Security Management Act\n             Requirements Related to Security Management Structure\n\nAPPENDIX D \xe2\x80\x93 Current Social Security Administration Security Management Structure\n             and the Office of the 
Inspector General Recommended Staff Functions\n             and Reporting Lines\n\nAPPENDIX E \xe2\x80\x93 Agency Comments\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\n\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)\n\x0c                                                                        Introduction\nOBJECTIVE\nOur objective was to determine whether the Social Security Administration (SSA) had\nimplemented the recommendations in our June 2001 report, Compliance of the Social\nSecurity Administration\xe2\x80\x99s Computer Security Program with Applicable Laws and\nRegulations (A-13-98-12044).\n\nBACKGROUND\nOur 2001 audit examined whether SSA\xe2\x80\x99s computer security program1 complied with the\nComputer Security Act of 1987 (CSA), Government Information Security Reform Act of\n2000 (GISRA), and other applicable laws, regulations, and Federal guidance. Our\nJune 2001 report stated that SSA lacked a strong framework for overall security\nadministration, policy development, and policy implementation. To address these\nfindings, we recommended that SSA:\n\n1. Centralize its systems security management structure to comply with GISRA and\n   other applicable laws to ensure all key security components responsible for agency-\n   wide security policy and administration report directly to the Chief Information Officer\n   (CIO).\n\n2. Develop a more inclusive system security plan for the mainframe and distributed\n   computing environments according to National Institute of Standards and\n   Technology (NIST) Special Publication (SP) 800-18.\n\n3. Implement a global e-mail and other appropriate methods for broadcasting computer\n   incidents. This would include automated calling process and office intercom\n   systems.\n\n4. Develop sanctions for users who cause system disruptions or share passwords.\n\n5. 
Develop a computer system security manual consistent with guidance provided by\n   NIST, and incorporate in it all existing computer security policies.\n\nThe Agency agreed or partially agreed with all these recommendations. Since our\n2001 audit, there have been major changes and revisions in Federal laws, regulations,\n\n\n1\n  During the 2001 audit, the CSA contained the major criteria related to the security of sensitive\ninformation in computer systems. We used the term \xe2\x80\x9ccomputer security program\xe2\x80\x9d to describe the security\nframework and requirements. Since 2001, GISRA and the Federal Information Security Management\nAct, adopted the term \xe2\x80\x9cagency-wide information security program\xe2\x80\x9d that is used in this report. For the\nsame reason, the term \xe2\x80\x9ccomputer security\xe2\x80\x9d has been replaced by \xe2\x80\x9cinformation security\xe2\x80\x9d to include both\ninformation systems and information.\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                                1\n\x0cand requirements for agency-wide information security programs.2 In this review, we\nexamined and determined whether SSA implemented our recommendations and\ncomplied with the current Federal requirements in the related areas.\n\nCHANGES IN LAWS, REGULATIONS AND REQUIREMENTS\n\nSince our 2001 audit, the Federal Information Security Management Act of 2002\n(FISMA) repealed the CSA,3 and GISRA expired in November 2002. As a result,\nFISMA became the overall criteria for agency-wide information security programs for\nFederal agencies. 
In addition, NIST revised and issued new security guidance that\nFederal agencies are required to comply with under FISMA.\n\nFISMA requires that Federal agencies develop, document, and implement an agency-\nwide information security program to provide security for the information and information\nsystems that support the agency\xe2\x80\x99s operations and assets.4 FISMA also requires that a\nFederal agency head delegate authority to the agency CIO to ensure compliance with\nFISMA\xe2\x80\x99s requirements.5 The CIO should appoint a senior agency information security\nofficer6 to head an office with the mission and resources to assist in ensuring agency\ncompliance with FISMA.7\n\nIn addition to specifying responsibilities of the CIO and the senior agency information\nofficer, FISMA also requires that an agency-wide information security program include\nperiodic risk assessments, a risk management process, security planning, periodical\nsecurity evaluations, security training, a security deficiency remediation process, an\nincident response process, and continuity of operations.8 See Appendix C for more\ndetails on FISMA requirements related to security management structure.\n\n\n\n\n2\n    See Footnote 1.\n3\n    Pub. L. No. 107-347, Title III, Section 305 (a).\n4\n    Pub. L. No. 107-347, Title III, Section 301 (b)(1) \xc2\xa7 3544 (b), 44 U.S.C. \xc2\xa7 3544 (b).\n5\n    Pub. L. No. 107-347, Title III, Section 301 (b)(1) \xc2\xa7 3544 (a)(3), 44 U.S.C. \xc2\xa7 3544 (a)(3).\n6\n    SSA\xe2\x80\x99s Chief Information Security Officer is the designated Senior Agency Information Security Officer.\n7\n    Pub. L. No. 107-347, Title III, Section 301 (b)(1) \xc2\xa7 3544 (a)(3)(A), 44 U.S.C. \xc2\xa7 3544 (a)(3)(A).\n8\n    Pub. L. No. 107-347, Title III, Section 301 (b)(1) \xc2\xa7 3544 (b), 44 U.S.C. 
\xc2\xa7 3544 (b).\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                                        2\n\x0c                                                  Results of Review\nWhile SSA considered the five recommendations in our 2001 audit to be implemented\nand closed, based on our follow-up review, we believe there are still steps that need to\nbe taken to fully address three of our prior recommendations. Specifically, we\ndetermined that SSA implemented prior Recommendations 2 and 4 to develop (1) a\nmore inclusive system security plan for the mainframe and distributed computing\nenvironments and (2) sanctions for users who cause systems disruptions. However,\nSSA had not fully addressed the prior Recommendations 1, 3, and 5 to (1) centralize its\nsecurity management structure, (2) implement a global system user notification\nmechanism for imminent security incidents, and (3) develop a computer system security\nmanual to incorporate all related policies. Despite the Agency\xe2\x80\x99s efforts to address the\nprior recommendations, we found the following:\n\n\xef\x82\xb7 SSA continued to have a decentralized/fragmented information security management\n  structure.\n\xef\x82\xb7 The Office of the CIO (OCIO) did not have sufficient delegated authority and\n  resources to carry out its responsibilities for SSA\xe2\x80\x99s information security program.\n\xef\x82\xb7 SSA had not sufficiently documented its policy and procedures to ensure all systems\n  users receive timely notification of imminent security incidents.\n\xef\x82\xb7 SSA\xe2\x80\x99s Information Systems Security Handbook (ISSH) did not cover all security\n  areas, and contained outdated and inaccurate information.\n\nThe following sections describe the status of SSA\xe2\x80\x99s implementation of our 2001\nrecommendations as well as any additional issues identified during this review. 
Where\nwarranted, we made additional recommendations to assist SSA in strengthening its\nagency-wide information security management posture. Given the inherent importance\nof the information security management structure, we expanded our work beyond just\nassessing SSA\xe2\x80\x99s implementation of our prior recommendations. See Appendix B for\nmore details on our scope and methodology.\n\n\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                   3\n\x0cFULLY IMPLEMENTED RECOMMENDATIONS\n\nPrior Recommendation 2: Develop a more inclusive system security plan for the\nmainframe and distributed computing environments according to NIST SP 800-18.\n\nOur 2001 review found that SSA\xe2\x80\x99s System Security Plan (SSP) for the Enterprise-Wide\nMainframe and Distributed Network Telecommunications Services System did not fully\nmeet Office of Management and Budget (OMB) or NIST requirements. We reported the\nSSP\n\n\xef\x82\xb7    did not disclose vulnerabilities;\n\xef\x82\xb7    referred to past risk assessments when no risk assessments had been performed\n     within the prior 5 years; and\n\xef\x82\xb7    did not include some elements as required by OMB and NIST.\n\nAs part of our Fiscal Year 2008 FISMA review,9 the Office of the Inspector General\n(OIG) and its contractor reviewed the SSPs and other Certification and Accreditation\n(C&A) documentation10 for the following four SSA major applications and systems:\n\n\xef\x82\xb7    Enterprise-Wide Mainframe and Distributed Network Telecommunications Services\n     System;\n\xef\x82\xb7    Electronic Disability System;\n\xef\x82\xb7    Integrated Client Database; and\n\xef\x82\xb7    Earnings Records Maintenance System.\n\nWe found SSA had performed risk assessments and developed SSPs for these\nsystems. 
We concluded that SSA\xe2\x80\x99s C&A documentation, including the risk\nassessments and SSPs, generally addressed all elements as recommended by OMB\nand NIST requirements. As a result, we consider this recommendation implemented.\n\nPrior Recommendation 4: Develop sanctions for users who cause system\ndisruptions or share passwords.\n\nOur 2001 review reported that while SSA\xe2\x80\x99s security program described sanctions for\nunauthorized systems access, it did not document sanctions for users who disrupt\nsystem operations, cause systems to shutdown, or share passwords. SSA originally\nagreed with the recommendation but after further review of its policies, determined that\na separate set of sanctions did not need to be developed to implement this\nrecommendation.\n\n9\n SSA OIG, Fiscal Year 2008 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Ac (A-14-08-18063), September 2008.\n10\n C&A is the authorizing process for the use of information systems. SSA\xe2\x80\x99s C&A documentation for a\nmajor application or system includes a System Security Plan, Risk Assessment Report, and Security\nControl Assessment Report.\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                               4\n\x0cSSA\xe2\x80\x99s Rules of Behavior for Users and Managers of SSA's Automated Information\nResources describe expected behavior for all SSA personnel, contractors, and external\nusers of SSA\xe2\x80\x99s information systems. 
It states, \xe2\x80\x9cFailure to follow these prescribed rules,\nand/or misuse of information resources, can lead to suspension, termination or other\nadministrative or legal actions based on the seriousness of the violation.\xe2\x80\x9d As a result,\nwe concluded that SSA had addressed the intent of this recommendation.\n\nPARTIALLY IMPLEMENTED RECOMMENDATIONS\nPrior Recommendation 1: Centralize the systems security management structure\nto comply with GISRA and other applicable laws to ensure that all key security\ncomponents responsible for agencywide security policy and administration\nreport directly to the CIO.\n\nIn our 2001 review, we found the security and information technology (IT) management\ncomponents under various Deputy Commissioner (DC) offices did not directly report to\nthe CIO.\n\nWe provided the following diagram to SSA as an example of the proposed staff and\nfunctions that we recommended as direct reports to the OCIO. It should be noted that\nsome of the acronyms for components that existed when we issued the 2001 report\nhave now been re-titled. Please see the footnote below.11\n\n\n\n\n11\n  The diagram is documented in our 2001 report, page 7. Information Technology Systems Review Staff\n(ITSRS) was re-titled the Office of Information Technology Investment Management. The Deputy\nCommissioner for Finance, Assessment, and Management (DCFAM) has been re-titled the Deputy\nCommissioner for Budget, Finance and Management. SSA Information Systems Security Officer\n(SSAISSO) was responsible for developing agency-wide information security policies and procedures and\nensuring proper implementation of the policies. SSA\xe2\x80\x99s Chief Information Security Officer resumed the\npolicy-making responsibilities of the prior SSAISSO. 
The Office of Information Systems Security was\nre-titled the Office of Information Technology Security Policy.\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                               5\n\x0c                                       Diagram 1\n\n\n\n\nThe Agency agreed in principle with the recommendation but did not agree to move all\nfunctions that we recommended under the direct supervision of the CIO. Instead, SSA\nresponded that it would review the capacity of the OCIO to directly oversee computer\nsecurity and asset management functions.\n\nSince our 2001 audit, SSA moved the CIO from the immediate Office of the\nCommissioner and created the new OCIO. The OCIO was established as an\nAgency-level office whose head is appointed by the President or by the Commissioner,\nif delegated by the President, for a 6-year period. At the same time, SSA abolished the\nInformation Technology Systems Review Staff and the Office of Information Systems\nSecurity in DCFAM and transferred the policy functions of both to the OCIO. In\naddition, SSA established two major offices that report directly to the CIO\xe2\x80\x94the Office of\nInformation Technology Investment Management (OITIM) and the Office of Information\nTechnology Security Policy (OITSP). OITIM is responsible for SSA\xe2\x80\x99s information\ntechnology (IT) capital investment planning and investment control process. OITSP\nestablishes agency-wide security policies and manages the reporting and evaluation\nprocesses for SSA\xe2\x80\x99s FISMA compliance. SSA also established the position of the Chief\nInformation Security Officer (CISO) to head OITSP. 
See the following diagram for the\ncurrent information security management structure (see a detailed description of the\ndiagram in Appendix D).\n\n\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                   6\n\x0c                                                 Diagram 212\n                                       SSA Security Management Structure and\n                                     Network of Security Components and Officers\n\n\n            CIO                 DC               DC             DC                       DC             All Other DCs\n                            for Systems      for Budget         for                  for Human           and Agency\n                                            Finance and      Operations              Resources          Level Officers\n                                            management\n\n\n           CISO              Office of        Office of       Office of                Office of         Other DC-\n                             Systems       Budget, Finance   Operations                 Human           and Agency-\n           OITSP                                and                                    Resources        level Offices\n                            OTSO and        Management         DSSPI\n                             OESAE/                                                         OPE/\n                              DISA          OEIE and OFM                                   CPSPM\n\n                                                                 Component                             Component\n                                                                   Security                            Security\n                                                                  Officers at                          Officers\n                            Component        Component           headquarters\n                             Security         Security     
       and Center\n                             Officers         Officers           Directors for             Component\n                                                                 Security and               Security\n                                                                Integrity in all            Officers\n                                                                    regions\n           Bi-weekly IT\n          Security Policy\n           and Strategy                                        Local               State\n             Advisory                                         Security             DDSs\n           Meetings (on                                       Officers\n          security issues\n           and policies)\n\n\n\nIn the diagram above, the offices depicted in red perform some aspect of information\nsecurity management. Because SSA did not fully address the recommendation to\ncentralize its information security management structure, it continues to have a\ndecentralized/fragmented information security management structure without a single\nmanagement focal point. Furthermore, we determined the OCIO does not have\nsufficient delegated authority. As detailed in the section on SSA\xe2\x80\x99s Decentralized\nSecurity Program Structure Lacks a Single Management Focal Point, we illustrate the\ndecentralized roles and responsibilities that yield a stove-piped approach to security\nwith limited communication.\n\nThe Chairman of the Social Security Advisory Board, in recent testimony before the\nSubcommittee on Social Security, Committee on Ways and Means, U.S. 
House of\nRepresentatives,13 suggested that the recently identified issues with SSA\xe2\x80\x99s processing\n\n\n12\n  For additional acronyms in Diagram 2: OTSO, Office of Telecommunications and Systems Operations;\nOESAE/DISA, Office of Enterprise Support, Architecture and Engineering/Division of Information Security\nand Assurance; OEIE, Office of Electronic Information Exchange; OFM, Office of Facilities Management;\nDSSPI, Division of Systems Security and Program Integrity; OPE/CPSPM, Office of Personnel/Center for\nPersonnel Security and Project Management; DDS, Disability Determination Services.\n13\n  Statement of Sylvester J. Schieber, Chairman, Social Security Advisory Board to the Subcommittee on\nSocial Security House Committee on Ways and Means, U.S. House of Representatives, Oversight\nHearing on the Progress made by the Social Security Administration in Implementing the American\nRecovery and Reinvestment Act of 2009, April 28, 2009.\n\n\nFollow-up: SSA\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048)                                                    7\n\x0ccenter14 are rooted in SSA\xe2\x80\x99s decentralized IT investment governance process, exposing\nSSA\xe2\x80\x99s system infrastructure to great risk. The Chairman stated SSA\xe2\x80\x99s decentralized IT\ngovernance process has resulted in a dilution of ownership and management of the\nAgency\xe2\x80\x99s overall IT process. The Board believed that it would take strong leadership for\nthe Agency\xe2\x80\x99s IT governance to be more productive and ensure SSA\xe2\x80\x99s infrastructure is\nnot exposed to such risk again. The Board recommended that SSA restructure its\ngovernance process and centralize overall responsibility for all IT processes.\n\nLikewise, we believe it is critical that SSA consider a centralized security management\nstructure that provides the CIO with sufficient delegated authority and resources to fulfill\nhis responsibilities. 
Although SSA has managed to comply with certain security-related\nrequirements, there are opportunities to improve the efficiency and effectiveness of the\noverall program. We believe a centralized approach to security management would be\nin line with the current Agency initiative of adopting a more integrated and seamless\napproach to systems development to address the growing needs of the Agency in an\neffective and efficient manner. To that end, we reaffirm our original recommendation for\nSSA to centralize its information security management structure.\n\nAs detailed in the section on SSA\xe2\x80\x99s CIO does not have Sufficient Delegated Authority\nand Resources to Carry Out Required Security Monitoring and Management\nResponsibilities, we discuss how resource levels impact the CIO security functions. We\nbelieve it is critical that these functions receive the resources needed to carry out\nsecurity management and oversight responsibilities. The following sections describe\nthe status of SSA\xe2\x80\x99s decentralized information security management structure and the\nneed for additional resources in the CIO functions.\n\nSSA\xe2\x80\x99s Decentralized Security Program Structure Lacks a Single Management\nFocal Point\n\nA Government Accountability Office (GAO) survey of leading organizations found that a\ncentral management focal point is one of the principles embraced by all the\norganizations. GAO identified five risk management principles that provided a\nframework for an effective Information Security Program.15\n\n\n\n\n14\n   The Board stated that the current 30-year old data processing center, the National Computer Center\n(NCC), would no longer be viable by the end of 2012. 
A new NCC will take 4 to 5 years to build. However, by 2013, the second data center designed as a fully functional co-processing facility to the NCC is expected to have full backup capacity for the NCC.
15 GAO Executive Guide: Information Security Management, Learning from Leading Organizations, GAO/AIMD-98-68, May 1998, pages 17-18.

Diagram 3

[Diagram 3: the risk management cycle; image not reproduced in the text.]

SSA's practices in information security risk management generally contain the elements identified in the model, with the exception of the central management focal point. At SSA, tasks in the risk management cycle in the above diagram are performed by different components in different DC-level offices without a central reporting structure. The following describes the key offices and officers who have security responsibilities and play significant roles in SSA's agency-wide security program.

• The Office of Electronic Information Exchange (OEIE), within the Office of Budget, Finance and Management (OBFM), is responsible for security administrative controls, security training, managing on-site system reviews, and managing and directing a comprehensive security compliance and monitoring program.
  OEIE develops security procedures and requirements that are followed by SSA components and security officers agencywide and is responsible for the security program for SSA's data exchange programs.
• The Office of Telecommunications and Systems Operations (OTSO), within the Office of Systems (Systems), is responsible for technical controls and requirements development, implementation, and monitoring; identifying and providing IT security incident data to the CISO for external reporting; and planning, executing, and maintaining SSA's disaster recovery program for critical information systems.
• The Division of Systems Security and Program Integrity (DSSPI), within the Office of Operations (Operations), manages a national security program with different levels of security offices and officers that cover all SSA regional offices, field offices, teleservice centers, program service centers, and all Headquarters Operations components.
• Component Security Officers are responsible for ensuring compliance with security requirements for DC-level offices and Agency-level offices.

These components and security officers form the network of SSA's security program but do not report to the CIO. In addition, some important security functions and programs managed and performed by these components and security officers do not involve the OCIO. For example, the Onsite Security Control and Audit Review program, which includes systems security and physical security of many operating units, field offices, and program service centers, does not involve the OCIO. Not only is there no OCIO involvement, but the results of these reviews are also not shared with the OCIO.
The security components and security officers of the national security program, managed by Operations, that handle daily security issues and ensure security compliance do not report to the CIO. Furthermore, the security components in OTSO in charge of technical controls implementation and monitoring do not report to the CIO.

Although the OCIO is responsible for the Agency's information security program, the CIO's authority is inherently limited by the current security management structure. Under the current structure, the CIO is only responsible for security policy-making and FISMA reporting. The CIO does not oversee and monitor agency-wide compliance with FISMA and other security standards and requirements. Each DC and Agency-level office is responsible for compliance with all security requirements for its respective component but does not periodically report to the CIO. Our review found that none of the security components or offices was responsible for ensuring agency-wide security compliance. As a result, SSA's security management structure was fragmented and not as effective as it could be.

Although the CIO is, by law, responsible for ensuring agency-wide security compliance, the CIO does not have the delegated authority, resources, and staff with the necessary expertise to conduct sufficient compliance monitoring activities.
Even within the security functions performed by the OCIO, it largely relies on other components to cooperate and provide data, resources, and expertise.

As a result, the OCIO experienced many challenges that included the following:
• Setting security policies and changing the security environment or controls is a time-consuming negotiation process that may take months to years to obtain security components' cooperation and agreement on security policies and issues.
• The OCIO does not have the capability to report adequately and in a timely manner to higher oversight authorities on security issues and major incidents.
• The OCIO cannot ensure an effective agency-wide security program, given its limited authority and resources.
• The OCIO does not have sufficient access to critical data, reports, and documentation to perform its duties.

To fully comply with FISMA and other applicable laws and regulations, SSA needs to have all staff responsible for developing agency-wide security policy report to the CIO. Staff responsible for administering component information security policy related to day-to-day operations and consistent with agency-wide security policy should indirectly report to the CIO through their respective DC or equivalent.
We suggest the following reporting of staff and functions to the CIO.

Recommended Staff Functions and Reporting Lines

[Diagram: the Chief Information Officer/Chief Information Security Officer is shown at the center, with the following staff functions reporting to the CIO: Staff Responsible for Personnel Security and Suitability Program; Staff Responsible for Information Assurance; IT Investment Management Staff; Staff Responsible for Information Security Policy Including Personnel and Physical Security Policy Development; Staff Responsible for Continuity of Operations Program for Information Systems; Staff Responsible for Developing and Implementing Physical Protection Requirements for SSA Facilities; Staff Responsible for Implementing Agency-wide Security Program. Legend: ----- Indirect Reporting to CIO; ___ Direct Reporting to CIO.]

This proposed security management structure would best position SSA to implement and maintain an agency-wide security program, especially with increased public access to Social Security services via the Internet and growing systems interconnectivity. Solid lines show direct reporting to the CIO, while dotted lines show indirect reporting to the CIO through an organization's respective DC or equivalent.
This diagram does not include staff responsible for network operations. For more details on the functions performed by staff in this diagram, see Appendix D.

"For a central computer security program to be effective, it should be an established part of organization management."16 The NIST guidance states that a ". . . well established program will have a program manager recognized within the organization as the central computer security program manager."17 "In addition, the program will be staffed with able personnel, and links will be established between the program management function and computer security personnel in other parts of the organization."18 SSA needs to have a single authority and a driving force to ensure the effectiveness of its security program. We continue to recommend that SSA centralize its management structure to ensure the effectiveness of its security program.

SSA's CIO Does Not Have Sufficient Delegated Authority and Resources to Carry Out Required Security Monitoring and Management Responsibilities

According to FISMA, each agency is required to implement an agency-wide information security program to provide security for its information and information systems that support the operations and assets of the agency.19 The CIO is responsible for ensuring agency compliance with FISMA and designating a senior agency information security officer to head an office with the mission and resources to assist the CIO in ensuring agency compliance with FISMA.20 Furthermore, NIST guidance states that the security program should also address compliance with national policies and requirements as well as organization-specific requirements.21

Although SSA has substantially complied with FISMA, SSA's CIO does not have sufficient delegated authority, resources, and expertise to fulfill all required FISMA responsibilities. The CIO's delegated authority and functions are limited to setting agency-wide security policies and FISMA-related testing, evaluation, and reporting. Except for the functions the OCIO retains, all FISMA IT security program-related functions and responsibilities are delegated to OBFM, Systems, Operations, and other components. The CIO and CISO currently have a security staff of eight, supplemented with approximately six contractors. At this staffing level, some functions defined and implied by FISMA as major responsibilities of the CIO are not performed by the OCIO at SSA. For example, SSA's OCIO does not
• manage, direct, or monitor SSA's agency-wide security program as a whole;
• run an agency-wide compliance monitoring program to ensure compliance with FISMA and other security standards and requirements;
• have authority over personnel security, physical security, and security of SSA's data exchange program; or
• lead SSA's Continuity of Operations program for information systems.

16 NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995, section 6.3, page 51.
17 Id.
18 Id.
19 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (b), 44 U.S.C. § 3544 (b).
20 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (b), 44 U.S.C. § 3544 (b).
21 NIST, supra, section 6.3, page 52.

SSA should assess the appropriate staffing level for the OCIO commensurate with its security responsibilities, and provide sufficient resources to the OCIO so it can maintain, manage, and monitor a security program that covers about 64,000 SSA employees and 25,000 contractors. In addition, the CIO does not have the level of delegated authority commensurate with the CIO's responsibilities. For example, the security component within OBFM, OEIE, chairs SSA's Critical Infrastructure Protection Committee and serves as the representative for its entity-wide security program22 under the annual financial statement audit. The CIO should have sufficient delegated authority, staff, and resources to implement and maintain an agency-wide compliance monitoring program and to fulfill other security management responsibilities.

Prior Recommendation 3: Implement a global e-mail and other appropriate methods for broadcasting computer incidents. This would include an automated calling process and office intercom systems.

Our 2001 review reported that during the "I LOVE YOU" virus attack, SSA was unable to immediately inform all SSA employees of the attack and had to temporarily shut down Agency e-mail systems to prevent the spread of the virus.
While SSA agreed with, and had taken steps to implement, our recommendation, we concluded that SSA had not fully implemented this recommendation.

SSA stated it uses a broadcasting tool as well as global e-mail messages to inform employees of outages, system updates, and security incidents. However, we found that SSA has not sufficiently documented these procedures in the ISSH and the related incident handling and reporting guide.

We recommend that SSA properly document the incident broadcasting process so the policy and procedures are readily available to all SSA users, and that all SSA systems users are timely and properly informed when certain computer incidents occur.

Prior Recommendation 5: Develop a computer system security manual consistent with guidance provided by NIST and incorporate in it all existing computer security policies.

In our 2001 report, we found SSA did not have all security policies and procedures integrated into one comprehensive document. SSA agreed with the recommendation and has made improvements. Since our 2001 review, SSA further integrated security policy into its ISSH by including electronic links and references to SSA management and operations manuals and Federal laws, regulations, and guidance. However, the ISSH does not include all security-related policies. For example, the ISSH does not include SSA's security policy or references related to its State data exchange programs, State Disability Determination Services, and physical and facility protection. The ISSH is also not clear about SSA's policy on timely informing all employees and systems users about malicious security incidents.

22 The GAO Federal Information System Controls Audit Manual uses the term entity-wide security program rather than agency-wide security program.
We concluded that SSA had not fully addressed our recommendation.

While conducting this review, we identified the following areas where SSA can further improve its current ISSH and security program documentation:

1. SSA Should Update its Agency-Wide Information Security Program Plan

SSA has referred to the ISSH as its documented agency-wide security program. However, ISSH does not include an agency-wide master plan that documents how SSA protects its information and information systems. SSA's OCIO had posted an IT Systems Security Plan on the OITSP website. However, this document had not been updated to reflect SSA's current agency-wide security program plan.

SSA should have a written plan that clearly describes its information security program in addition to the policies and procedures that support the program. During this review, we found the OCIO is drafting an IT Security Program Plan.

2. Roles and Responsibilities are not Defined Clearly in the ISSH Chapters

Each chapter of the ISSH has a section called Roles and Responsibilities that lists components, security officers, managers, and users who have specific responsibilities for the subject matter of the chapter through electronic links to general descriptions of their security roles and responsibilities. However, ISSH did not clearly delineate their roles and responsibilities directly related to the chapter.
For example, the chapter on Systems Access Policy lists OITSP as one of the components that has specific responsibilities by providing an electronic reference link; however, it does not link to a description of specific access control responsibilities for OITSP.

Federal guidance requires that security responsibilities be clearly delineated and specifically assigned to the organization elements and officials responsible for the implementation and continuity of the computer security policy.23 SSA needs to provide a more specific description of what responsibilities the security components and officers have in the security areas discussed in each ISSH chapter.

3. ISSH Needs to be Revised and Updated with the Most Current and Accurate Information

• The Security Organizational Structure diagram documented in Chapter 1 does not reflect the current authority structure of SSA's security management program. For example, the Center Directors for Integrity and Security report to the Assistant Regional Commissioners in Operations. However, the ISSH diagram indicates they report to OEIE in OBFM. Further, none of the security components directly reports to the OCIO, contrary to what the diagram indicates.
• The ISSH contains old component names, outdated guidance, and duplicate information.

SSA should review the current ISSH to ensure it contains the most current and accurate information.

23 NIST, supra, section 5.1.1, page 36.

Conclusion and Recommendations

SSA has taken some actions to address the five recommendations from our 2001 report.
Two recommendations were fully implemented and partial corrective action has been taken on the remaining three. Based on our review of the current guidance on information security, we believe a centralized information security management structure will better position the Agency to effectively manage and monitor its agency-wide information security program. As such, we reaffirm the merits of our previous Recommendation 1 and recommend that SSA:

1. Centralize its security management structure to ensure a coordinated approach to its agency-wide information security program.
2. Clearly delineate roles, responsibilities, and lines of communication that report to a single management focal point.

We have also revised previous recommendations, or included new ones, to ensure full compliance with our prior recommendations and/or to address new issues we identified during this audit, as set forth below.

3. Ensure the CIO has sufficient delegated authority and resources to fulfill required security responsibilities according to applicable laws, regulations, and guidance.
4. Update the agency-wide Information Security Program Plan.
5. As appropriate, ensure written policies and procedures require notification of all Agency systems users for certain computer incidents.
6. Update the ISSH with the most current and accurate information, and consider further delineating security roles and responsibilities of Agency components and security officers related to the subject matter in each chapter. SSA should include all security policies or references in the ISSH.

AGENCY COMMENTS

SSA agreed with Recommendations 4, 5, and 6, but deferred responding to Recommendations 1, 2, and 3 until the CIO has the opportunity to review the issues discussed in the report.
See Appendix E for the full text of SSA's comments.

OIG RESPONSE

We encourage the Agency to move quickly to implement Recommendations 1, 2, and 3 once the CIO has the opportunity to evaluate the issues addressed in the report. The implementation of these recommendations will help ensure a more efficient and effective management of the Agency's information security program.

Appendices

Appendix A

Acronyms
 C&A              Certification and Accreditation
 CIO              Chief Information Officer
 CISO             Chief Information Security Officer
 CPSPM            Center for Personnel Security and Project Management
 CSA              Computer Security Act of 1987
 CSI              Center for Security and Integrity
 CSO              Component Security Officer
 DC               Deputy Commissioner
 DCFAM            Deputy Commissioner for Finance, Assessment and Management
 DDS              Disability Determination Services
 DISA             Division of Information Security and Assurance
 DSSPI            Division of Systems Security and Program Integrity
 FISMA            Federal Information Security Management Act of 2002
 GAO              Government Accountability Office
 GISRA            Government Information Security Reform Act of 2000
 ISSH             Information Systems Security Handbook
 IT               Information Technology
 ITSRS            Information Technology Systems Review Staff
 NCC              National Computer Center
 NIST             National Institute of Standards and Technology
 OBFM             Office of Budget, Finance and Management
 OCIO             Office of the Chief Information Officer
 ODD              Office of Disability Determinations
 OEIE             Office of Electronic Information Exchange
 OESAE            Office of Enterprise Support, Architecture and Engineering
 OFM              Office of Facilities Management
 OIG              Office of the Inspector General
 OITIM            Office of Information Technology Investment Management
 OITSP            Office of Information Technology Security Policy
 OMB              Office of Management and Budget
 OPE              Office of Personnel
 Operations       Office of Operations
 OTSO             Office of Telecommunications and Systems Operations
 Pub. L. No.      Public Law Number
 SP               Special Publication
 SSA              Social Security Administration
 SSAISSO          SSA Information Systems Security Officer
 SSP              System Security Plan
 Systems          Office of Systems
 U.S.C.           United States Code

Appendix B

Scope and Methodology

Our objective was to determine whether the Social Security Administration (SSA) implemented the recommendations in our June 2001 report, Compliance of the Social Security Administration's Computer Security Program with Applicable Laws and Regulations (A-13-98-12044).

The applicable laws for agency-wide information security programs have changed since our 2001 audit.
Our current audit was conducted according to the security framework and requirements established by the Federal Information Security Management Act of 2002 and related Federal guidance.

We examined the prior report; compared the criteria used in the prior audit with current criteria; interviewed SSA personnel currently responsible for addressing the prior recommendations; and reviewed and examined SSA documentation for implementing our recommendations and related policy and procedures against Federal criteria.

We reviewed the following criteria:
• Computer Security Act of 1987;
• Government Information Security Reform Act of 2000;
• Federal Information Security Management Act of 2002;
• Office of Management and Budget Circular A-130, Management of Federal Information Resources, 11/28/2000, Appendix III, Security of Federal Automated Information Resources;
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Federal Information Systems, Revision 1, February 2006;
• NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Revision 2, December 2007;
• NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995;
• NIST SP 800-61, Computer Security Incident Handling Guide, Revision 1, March 2008; and
• Government Accountability Office, Executive Guide: Information Security Management, Learning from Leading Organizations, GAO/AIMD-98-68, May 1998.

We contacted or interviewed SSA staff from the following components, or reviewed the contents of their websites related to their security functions and security documents:

• SSA Chief Information Security Officer;
• Office of the Chief Information Officer (OCIO), Office of Information Technology Security Policy;
• Office of Budget, Finance and Management, Office of Strategic Services, Office of Electronic Information Exchange (OEIE);
• Office of Operations, Office of Public Service and Operations Support, Division of Systems Security and Program Integrity; and
• Office of Systems, Office of Telecommunications and Systems Operations, Division of Information Systems Security Administration and Operations.

We reviewed the following SSA documents:
• Information Systems Security Handbook;
• Rules of Behavior for Users and Managers of SSA's Automated Information Resources, March 23, 2001;
• SSA Memorandum, Sanctions for Unauthorized Systems Access Violations and Guidance for Employees on How to Transact Social Security Business that Requires System Access, May 15, 2008;
• OCIO, Social Security Administration Information Technology Security Policy and Standards Development and Issuance Process, August 14, 2008;
• OCIO, Social Security Administration Computer Security Incident Reporting Process, August 14, 2008;
• IT Systems Security Plan;
• OEIE, Information Security Officer Guide, Revised November 2008; and
• Onsite Security Control and Audit Review guides, chapters related to systems and physical security.

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We conducted our field work at SSA Headquarters in Baltimore, Maryland, from December 2008 through May 2009.

Appendix C

Federal Information Security Management Act Requirements Related to Security Management Structure

SECURITY OFFICERS' ROLES AND RESPONSIBILITIES BY CURRENT LAW

The Federal Information Security Management Act of 2002 (FISMA) requires that a Federal agency head delegate to the agency Chief Information Officer (CIO) the authority to ensure compliance with FISMA requirements.1 The agency CIO has the following responsibilities:2

1. designating a senior agency information security officer;
2. developing and maintaining an agency-wide information security program;
3. developing and maintaining information security policies, procedures and control techniques to address all applicable requirements;
4. training and overseeing personnel with significant responsibilities for information security;
5. assisting senior agency officials concerning their responsibilities in providing information security for the information and information systems that support the operations and assets under their control (including through risk assessments, assessment of levels of security necessary, cost-effective measures to reduce risk to acceptable levels, and periodic testing and evaluating security controls and techniques to ensure they are effectively implemented);3 and
6. reporting annually to the agency head on the effectiveness of the agency's information security program.4

The senior agency information security officer should head an office with the mission and resources to assist in ensuring agency compliance with FISMA.5

1 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3), 44 U.S.C. § 3544 (a)(3).
2 Id.
3 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(2) and (a)(3)(E), 44 U.S.C. § 3544 (a)(2) and (a)(3)(E).
4 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3) and (5), 44 U.S.C. § 3544 (a)(3) and (5).
5 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3)(A)(iv), 44 U.S.C. § 3544 (a)(3)(A)(iv).

FISMA DEFINITION OF AGENCY-WIDE INFORMATION SECURITY PROGRAM

In addition to specifying responsibilities of the CIO and senior agency information officer, FISMA also defines what an agency-wide information security program should include.6

1. Periodic risk assessments;
2. Policies and procedures that: are based on a risk assessment, are cost effective in reducing risk, and ensure information security is addressed through the life cycle of each agency information system and compliance with applicable security requirements;
3. Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
4. Security awareness training for employees and contractors and other users of information systems;
5. Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (at least annually);
6. A process for remedial actions to address security deficiencies in the information security policies, procedures, and practices of the agency;
7. Procedures for detecting, reporting, and responding to security incidents; and
8. Plans and procedures to ensure continuity of operations for information systems.

6 Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3) and (b), 44 U.S.C. § 3544 (a)(3) (b).

Appendix D

Current Social Security Administration Security Management Structure and the Office of the Inspector General Recommended Staff Functions and Reporting Lines

The Social Security Administration's (SSA) agency-wide security program is highly decentralized with security responsibilities and functions conducted by several security components and a network of security officers. None of the security components or security officers is responsible for ensuring agency-wide compliance with the Federal security requirements. Each Deputy Commissioner-level and Agency-level office is responsible for its own compliance with all security requirements. The security components and security officers report to their respective Deputy Commissioners (DC) and Agency-level officers, who do not report to the Chief Information Officer (CIO) for security compliance and performance.
See the following diagram for an overall
management structure of SSA’s security program.

[Diagram: SSA Security Management Structure and Network of Security Components and
Officers. The chart has six columns, each showing the offices and security officers
under that official:]
• CIO: CISO and OITSP; bi-weekly IT Security Policy and Strategy Advisory Meetings
  (on security issues and policies) with the security components.
• DC for Systems: Office of Systems (OTSO and OESAE/DISA); Component Security Officers.
• DC for Budget, Finance and Management: Office of Budget, Finance and Management
  (OEIE and OFM); Component Security Officers.
• DC for Operations: Office of Operations (DSSPI); Component Security Officers at
  Headquarters and Center Directors for Security and Integrity in all regions; Local
  Security Officers; State DDSs.
• DC for Human Resources: Office of Human Resources (OPE/CPSPM); Component
  Security Officers.
• All Other DCs and Agency-Level Officers: Other DC- and Agency-Level Offices;
  Component Security Officers.

Office of the CIO, Office of Information Technology Security Policy (OITSP)
headed by SSA’s Chief Information Security Officer (CISO) - In supporting the CIO,
the CISO and the OITSP are responsible for issuing security policies and for Federal
Information Security Management Act of 2002 related testing, evaluation, and reporting.
Except for functions retained by the CISO and OITSP, SSA delegates all remaining security
program functions to other components. In other functional areas within SSA’s security
program, the CISO does not have authority and, for the most part, acts in a coordinating
and supporting role. OITSP conducts limited monitoring activities through bi-weekly
meetings with security components to discuss security issues and policies.

Office of Budget, Finance and Management (OBFM), Office of Electronic
Information Exchange (OEIE) - Formerly known as the Office of Systems Security
Operations Management, OEIE plays an important role in SSA’s agency-wide security
program.
OEIE’s agency-wide security responsibilities include: development of SSA's
security program requirements and procedures; implementation of governing directives
in the area of systems security; administration of the Agency’s access control program;
management of an onsite systems review program and a comprehensive security
compliance and monitoring program; and providing direction to the Agency's security
officers.

OEIE is also responsible for maintaining security policy documentation, providing
security training, implementing security requirements, and executing safeguards for
SSA's State information exchange programs. OEIE chairs SSA’s Critical Infrastructure
Protection Committee and serves as the Agency representative for its entity-wide
security program for the annual financial statement audit. However, OEIE does not
have the responsibility to ensure security controls are implemented and enforced
agency-wide.

OBFM, Office of Facilities Management (OFM) - OFM directs SSA’s physical and
protective security program and establishes policy to ensure the safety and security of
SSA employees, visitors, and property.

Office of Operations (Operations), the Division of Systems Security and Program
Integrity (DSSPI) - DSSPI, along with the regional Centers for Security and Integrity
(CSI), is responsible for developing, coordinating, and implementing a comprehensive
national program for Operations to focus on systems security and programmatic fraud
issues. This program covers all components within Operations, including regional
offices, program service centers, teleservice centers, field offices, and all Operations
Headquarters components. DSSPI and CSIs work with Local Security Officers at the
field office level regarding security issues.

Office of Systems (Systems), Office of Telecommunications and Systems
Operations (OTSO) - OTSO is responsible for implementing technical security controls
and procedures and for SSA’s Disaster Recovery planning, testing, and execution. OTSO
also monitors security controls and configurations for compliance and maintains the
information system for cyber security incident identification and reporting. However,
OTSO does not have agency-wide responsibility to ensure technical security
compliance.

Systems, Office of Enterprise Support, Architecture and Engineering (OESAE),
the Division of Information Security and Assurance (DISA) - Within Systems, DISA
provides comprehensive security services, solutions, and best practices that enhance
information assurance and security for software applications, assuring they are efficient,
secure, and compliant with Agency and Federal information system security
requirements.

Office of Human Resources, Office of Personnel (OPE), the Center for Personnel
Security and Project Management (CPSPM) - CPSPM manages SSA's nationwide
programs for personnel security and suitability and national security for employees and
contractors. CPSPM is also responsible for policy development in the area.

Component Security Officers (CSO) - Within SSA Headquarters, including all
DC-level and Agency-level offices, CSOs are responsible for ensuring compliance
within their respective components.

Office of Disability Determinations (ODD) - Within Operations, ODD coordinates and
distributes regulations and policy to the State Disability Determination Services (DDS).
DDS management has overall responsibility for the security of their site and compliance
with established security policies and procedures.
DDS management is also
responsible for notifying and reporting any security breach or incident to SSA offices
within the region.

RECOMMENDED STAFF FUNCTIONS AND REPORTING LINES

We recommended the following staff functions and reporting lines:

[Diagram: Recommended Staff Functions and Reporting Lines. The chart places the
Chief Information Officer/Chief Information Security Officer at the center, with the
following staff functions connected to it (legend: ----- Indirect Reporting to CIO;
___ Direct Reporting to CIO):]
• Staff Responsible for Implementing Agency-wide Security Program
• Staff Responsible for Developing and Implementing Physical Protection Requirements
  for SSA Facilities
• Staff Responsible for Continuity of Operations Program for Information Systems
• Staff Responsible for Information Security Policy Including Personnel and Physical
  Security Policy Development
• IT Investment Management Staff
• Staff Responsible for Information Assurance
• Staff Responsible for Personnel Security and Suitability Program

• Staff Responsible for Implementing Agency-wide Security Program: DSSPI staff
  within Operations and OTSO staff within Systems need to indirectly report to the
  CIO.

• Staff Responsible for Developing and Implementing Physical Protection
  Requirements for SSA Facilities: The facility management staff within OBFM need
  to indirectly report to the CIO.

• Staff Responsible for Continuity of Operations Program for Information Systems:
  OTSO Disaster Recovery staff need to directly report to the CIO.

• Staff Responsible for Information Security Policy Including Personnel and Physical
  Security Policy Development: Current OCIO staff and any other staff responsible for
  personnel and physical security policy development need to directly report to the
  CIO.

• IT Investment Management Staff: These staff currently report to the CIO.

• Staff Responsible for Information Assurance: DISA staff within Systems need to
  indirectly report to the CIO.

• Staff Responsible for Personnel Security and Suitability Program: The Center for
  Personnel Security and Project Management staff within the Office of Human
  Resources need to indirectly report to the CIO.

                                                                        Appendix E

Agency Comments

                                          SOCIAL SECURITY

MEMORANDUM

Date:      September 9, 2009                                    Refer To: S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Margaret J. Tittel /s/
           Acting Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “Follow-Up: The Social Security
           Administration’s Computer Security Program Compliance” (A-14-09-19048)--INFORMATION

           Thank you for the opportunity to review and comment on the draft report. We appreciate OIG’s
           efforts in conducting this review. Attached is our response to the report recommendations.

           Please let me know if we can be of further assistance. Please direct staff inquiries to
           Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

           Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, “FOLLOW-UP: THE SOCIAL SECURITY ADMINISTRATION’S
COMPUTER SECURITY PROGRAM COMPLIANCE” (A-14-09-19048)

Recommendation 1

SSA should centralize its security management structure to ensure a coordinated approach to its
agency-wide information security program.

Comment

We defer comment until our new Chief Information Officer (CIO) has the opportunity to review
the issue of a centralized security management structure. We also plan to convene a workgroup
to review any underlying issues and make recommendations as appropriate.

Recommendation 2

Clearly delineate roles, responsibilities, and lines of communications that report to a single
management focal point.

Comment

We defer comment on a single management focal point until our new CIO has the opportunity to
review the issue. We agree that we need to clearly delineate roles, responsibilities, and lines of
communications.
We will convene a workgroup to review any underlying issues and make
recommendations as appropriate.

Recommendation 3

Ensure the CIO is delegated with sufficient authority and provided sufficient resources to fulfill
his security responsibilities according to applicable laws, regulations, and guidance.

Comment

We defer comment on sufficient delegated authority and resources until our new CIO has the
opportunity to review the issue. We do support providing additional resources to the CIO for use
in fulfilling his security responsibilities.

Recommendation 4

Update the agency-wide Information Security Program Plan.

Comment

We agree. The CIO’s office is currently reviewing and updating both our agency-wide
Information Security Program Plan and our IT Security Strategic Plan. We will be sure to align
both documents. We have already aligned our IT Security Strategic Plan with our agency
Strategic Plan.

Recommendation 5

As appropriate, ensure written policies and procedures require notification of all agency systems
users of certain computer incidents.

Comment

We agree. Agency policy requires that we maintain computer incident response capability. We
are updating the Incident Reporting Handbook to reflect the responsibilities of our security
response team in notifying all agency systems users, as appropriate, of computer incidents.

We also include computer incident notification procedures in the Office of Systems/Office of
Telecommunications and Systems Operations incident response documentation. These
procedures should be included in the Information Systems Security Handbook only as a
reference to the Office of Systems managed documentation. Exposing the procedures to more
individuals increases the risk for misuse, and it may desensitize employees to the message
delivery vehicle if used too frequently.

Recommendation 6

Update the Information Systems Security Handbook (ISSH) with the most current and accurate
information and consider further delineating security roles and responsibilities of our agency
components and security officers related to the subject matter in each chapter. We should
include all security policies or references in the ISSH.

Comment

We agree. We are updating and restructuring the ISSH to include all security policies,
references, accurate organizational names, and reporting relationships. We will further delineate
the security roles and responsibilities as appropriate.

                                                                        Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Brian Karpe, Acting Director, Information Technology Audit Division

   Phil Rogofsky, Audit Manager

   Mary Ellen Moyer, Audit Manager

Acknowledgments

In addition to those named above:

   Grace Chi, Auditor-in-Charge

   Tina Nevels, Auditor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number
A-14-09-19048.

                            DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

                         Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

                                                  Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

                                              Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

                            Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

                                        Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

                           Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.